Skip to main content

Revenue and Customs: Data Loss

Volume 696: debated on Wednesday 5 December 2007

asked Her Majesty’s Government:

Further to the Statement by the Chancellor of the Exchequer on 20 November about the loss of data by HM Revenue and Customs, whether any further details have come to light over the loss of the data; and whether any more files containing confidential personal information are unaccounted for.

My Lords, the police continue to have no reason to believe that the child benefit data have fallen into the wrong hands. On 20 November, the Chancellor announced an independent review of HMRC’s data-handling procedure to be conducted by Kieran Poynter, the chair of PricewaterhouseCoopers.

My Lords, I thank the Minister for that reply but since the Chancellor made his Statement two weeks ago, we have heard that both the banks and the National Audit Office have publicly disagreed with his version of events. We now know that none of the data was encrypted and that the letters of apology that were subsequently sent contained confidential information, with some being sent to the wrong addresses; worst of all, the disks have not been found. Does the Minister agree that it would be difficult to find a more comprehensive example of incompetence?

My Lords, the Chancellor made it clear in his Statement how much he regretted this grievous error in data-handling by the department. However, the noble Baroness will recognise that the Government have put in hand procedures to guarantee that it does not happen again, and that is the issue about which the nation is exercised.

My Lords, we have lessons to learn and that is why Kieran Poynter is to produce a report, which the Chancellor will bring to the attention of the other place. However, a new three-step procedure has already been established for staff who handle requests for bulk data transfers. Transfers take place only when, in addition to being lawful, they are absolutely necessary, when written authorisation has been given by a senior manager and when clear instructions have been given regarding the appropriate standard of protection for the transfer. The Government have already taken that appropriate action in response to this grievous mistake.

My Lords, the Minister may be aware of the “Panorama” programme on Friday last week in which a professor of computing at Cambridge said, “We have warned the Government repeatedly that if you have a very large database with a very large number of people having access to it, it is not a question of if but when there will be a breach of security”. Is that not a lesson which the Government should have learnt and which they should not have to relearn now?

My Lords, I am glad that the noble Earl is able to be so categorical about these issues in advance of the report which is being prepared for the Chancellor and which we shall all have the opportunity to discuss. However, if the burden of the noble Earl’s contribution is that the Government should cease to use computers and data collection extensively, how does he think that administration will be carried on in this country?

My Lords, following this debacle, can the Minister give assurances that the powers of the Information Commissioner can be strengthened to prevent further loss of confidential information? Does the Minister agree that there is a strong case for more shared managed services in the public sector, which will provide both technical and, just as importantly, best-practice management support to prevent further breaches?

My Lords, that may indeed be an important point on which Kieran Poynter comments. The Information Commissioner has an important role to play in this respect, and he recognises that he has an important contribution to make to this debate. However, we should not underestimate the challenges presented by data collection. What is important, as the noble Lord suggested, is that we learn from all levels of expertise what needs to be done and then carry that out as soon and forthrightly as possible. The Chancellor has indicated that by the action he has already taken.

My Lords, has my noble friend seen the extremely worrying report in today’s Daily Telegraph that the Information Commissioner has had several reports from private industry about the failure to protect data? Does it not show that it is not only the Government who are at fault but that laxity in data protection is widespread?

My Lords, other large organisations have had embarrassments in data protection. Nevertheless, we have laws in place to protect the public so far as private authorities are concerned, and the same laws obtain with government departments that handle sensitive information. We have to reassure the public and regain public confidence in the wake of the problem that arose a month or so ago and, as I indicated, that is exactly how the Government are acting.

My Lords, on reassuring the public, the Minister will be aware that, on 21 November, the Prime Minister announced that the Cabinet Secretary and security experts were reviewing the storage and use of data across all government departments. The Government subsequently announced that there will be a Statement when that review is completed. Given the considerable public concern and urgency on this issue, can the Minister give us an indication of the timetable for the completion of that review? In particular, may we have an assurance that, at the very least, an interim Statement will be made before the House rises for the Christmas Recess?

My Lords, it is a very large review and I do not have a detailed timetable on its completion. However, the Chancellor is expecting at least an interim report from Kieran Poynter on the specific difficulties. I understand entirely the noble Lord’s comment that there are wider issues at stake—there are, and they have increased urgency as a result of this development. However, I cannot give him the assurance that we will be in a position to make a report before Christmas-time.

My Lords, is the Minister aware that, even if these disks have not gone astray, and we all hope that they have not, there is also the scandal that individuals' personal financial details, which were given to a government department under confidentiality that has hitherto always been observed, were sent to the National Audit Office even though the National Audit Office has made it clear that it did not need them? It is important that we know which Minister authorised this unprecedented disclosure. Can the noble Lord guarantee that this will not happen again?

My Lords, the noble Lord will recognise that he has largely reiterated what the Chancellor relayed to the House in October. As for guaranteeing the situation for the future, action is already being taken to increase security of the information. If he is asking me to say that any Government can guarantee that no mishap will ever occur, I am not able to do that. However, I can assure him that we have put in place processes that clearly ought to have been followed when this event occurred. Those processes have been reinforced and re-established so that everyone in the Civil Service is aware of the new constraints. Those are the protections for the information that is given to government. Of course I agree with him that, when the public give this information to government, they expect it to be protected.